Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Enumeration of metadata names is a confidentiality impact (C:L), not integrity; all other metrics align with the provided CVSS vector.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionNVD
Missing permission checks in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allow attackers with Overall/Read permission to enumerate the names of configured Contrast metadata.
AnalysisAI
Missing authorization checks in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allow any authenticated Jenkins user with the low-privilege Overall/Read permission to enumerate the names of configured Contrast metadata via a network-accessible endpoint. The vulnerability is classified CWE-862 (Missing Authorization) and has an EPSS score of 0.15% (4th percentile), indicating negligible real-world exploitation activity. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be authenticated to the Jenkins instance with at minimum Overall/Read permission - the baseline access level for virtually any registered Jenkins user. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.3 (Medium) vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N contains a notable inconsistency: the described impact - enumerating configured metadata names - is a confidentiality concern (C:L), not an integrity concern (I:L); defenders should verify the vector against the vendor advisory at https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3697%20(2) before relying on it for risk scoring. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Jenkins user holding only the default Overall/Read permission sends a crafted HTTP request to the Contrast plugin's metadata enumeration endpoint. Because no additional permission check is enforced, the plugin returns the names of all configured Contrast metadata entries. … |
| Remediation | Upgrade the Jenkins Contrast Continuous Application Security Plugin to a version released after 3.11 by consulting the Jenkins Plugin Manager or the vendor advisory at https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3697%20(2); the exact fixed version is not independently confirmed from available data, so administrators should verify the latest release in the Jenkins update center. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Cross-site request forgery in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows a remote a
Missing authorization in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier permits any authentica
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38780
GHSA-8263-qv4g-vfxr